COBIT 5 Product Family (Source: COBIT 5 for Risk, figure 1)
The COBIT 5 framework is supported by the COBIT 5 Enabler Guides (COBIT 5: Enabling Processes; COBIT 5: Enabling Information; Other Enabler Guides), the COBIT 5 Professional Guides (COBIT 5 Implementation; COBIT 5 for Information Security; COBIT 5 for Assurance; COBIT 5 for Risk; Other Professional Guides) and the COBIT 5 Online Collaborative Environment.

COBIT 5 Principles (Source: COBIT 5, figure 2)
1. Meeting Stakeholder Needs. 2. Covering the Enterprise End-to-end. 3. Applying a Single Integrated Framework. 4. Enabling a Holistic Approach. 5. Separating Governance From Management.

ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA. Phone: +1.847.253.1545. Fax: +1.847.253.1443. Email: info@isaca.org. Web site: www.isaca.org
COBIT 5 Goals Cascade Overview (Source: COBIT 5, figure 4)
Stakeholder Drivers (Environment, Technology Evolution, ...) influence Stakeholder Needs. Stakeholder needs for Benefits Realisation, Risk Optimisation and Resource Optimisation cascade to Enterprise Goals, which cascade to IT-related Goals, which cascade to Enabler Goals.

Selected Guidance From the COBIT 5 Family
These charts and figures are elements of COBIT 5 and its supporting guides. This excerpt is available as a complimentary PDF (www.isaca.org/cobit) and for purchase in hard copy (www.isaca.org/bookstore). It provides an overview of the COBIT 5 guidance, its five principles and seven enablers. We encourage you to share this document with your enterprise leaders, team members, clients and/or consultants. COBIT enables enterprises to maximise the value and minimise the risk related to information, which has become the currency of the 21st century. COBIT 5 is a comprehensive framework of globally accepted principles, practices, analytical tools and models that can help any enterprise effectively address critical business issues related to the governance and management of information and technology. Additional information is available at www.isaca.org/cobit.
Governance and Management in COBIT 5 (Source: COBIT 5, figure 8)
Governance Objective: Value Creation, through Benefits Realisation, Risk Optimisation and Resource Optimisation. Governance and management are described in terms of Enablers, Scope, and Roles, Activities and Relationships.

Key Roles, Activities and Relationships (Source: COBIT 5, figure 9)
Owners and Stakeholders delegate to the Governing Body, which is accountable to them. The Governing Body sets direction for Management and monitors it. Management instructs and aligns Operations and Execution, which report back to Management.

COBIT 5 Governance and Management Key Areas (Source: COBIT 5, figure 15)
Governance: Evaluate, Direct and Monitor, driven by Business Needs and informed by Management Feedback. Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA).
Two Perspectives on Risk: Risk Function and Risk Management (Source: COBIT 5 for Risk, figure 8)
The risk function perspective describes how to build and sustain a risk function in the enterprise by using the COBIT 5 enablers: Processes; Information; Organisational Structures; Principles, Policies and Frameworks; Services, Infrastructure and Applications; Culture, Ethics and Behaviour; People, Skills and Competencies. The risk management perspective looks at core risk governance and risk management processes and risk scenarios, and describes how risk can be mitigated by using COBIT 5 enablers.

Scope of COBIT 5 for Risk (Source: COBIT 5 for Risk, figure 10)
COBIT 5 for Risk covers the COBIT 5 enablers for the risk function (the same seven enablers), the core risk processes, risk scenarios, and the mapping of risk scenarios to COBIT 5 enablers. It builds on the COBIT 5 framework and COBIT 5: Enabling Processes, and relates to enterprise risk standards (COSO ERM, ISO 31000, ISO/IEC 27005, others) and IT frameworks (ITIL, ISO/IEC 20000, ISO/IEC 27001/2, others).
The Risk Management Process (APO12) and Risk Scenario Overview (Source: COBIT 5 for Risk, figure 34)
APO12 practices: APO12.01 Collect Data; APO12.02 Analyse Risk; APO12.03 Maintain a Risk Profile; APO12.04 Articulate Risk; APO12.05 Define a Risk Management Action Portfolio; APO12.06 Respond to Risk. Risk scenarios are derived top down from Business Goals (identify business objectives; identify scenarios with the highest impact on achievement of business objectives) and bottom up from Generic Risk Scenarios (identify hypothetical scenarios; reduce through high-level analysis). Risk factors: Internal Environmental Factors; External Environmental Factors; Risk Management Capabilities; IT-related Capabilities. All related enablers apply: Principles, Policies and Frameworks; Organisational Structures; Culture, Ethics and Behaviour; Information; Services, Infrastructure and Applications; People, Skills and Competencies.

Risk Scenario Structure (Source: COBIT 5 for Risk, figure 36)
Threat Type: Malicious; Accidental; Error; Failure; Nature; External requirement. Event: Disclosure; Interruption; Modification; Theft; Destruction; Ineffective design; Ineffective execution; Rules and regulations; Inappropriate use. Asset/Resource: People and skills; Organisational structures; Infrastructure (facilities); IT infrastructure; Information; Applications. Actor: Internal (staff, contractor); External (competitor, outsider, business partner, regulator, market). Time: Duration; Timing of occurrence (critical or non-critical); Detection; Time lag.
Supporting Processes for the Risk Function (Source: COBIT 5 for Risk, figure 18)
Processes for Governance of Enterprise IT. Evaluate, Direct and Monitor: EDM01 Ensure Governance Framework Setting and Maintenance; EDM02 Ensure Benefits Delivery; EDM03 Ensure Risk Optimisation; EDM04 Ensure Resource Optimisation; EDM05 Ensure Stakeholder Transparency.
Processes for Management of Enterprise IT. Align, Plan and Organise: APO01 Manage the IT Management Framework; APO02 Manage Strategy; APO03 Manage Enterprise Architecture; APO04 Manage Innovation; APO05 Manage Portfolio; APO06 Manage Budget and Costs; APO07 Manage Human Resources; APO08 Manage Relationships; APO09 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security. Build, Acquire and Implement: BAI01 Manage Programmes and Projects; BAI02 Manage Requirements Definition; BAI03 Manage Solutions Identification and Build; BAI04 Manage Availability and Capacity; BAI05 Manage Organisational Change Enablement; BAI06 Manage Changes; BAI07 Manage Change Acceptance and Transitioning; BAI08 Manage Knowledge; BAI09 Manage Assets; BAI10 Manage Configuration. Deliver, Service and Support: DSS01 Manage Operations; DSS02 Manage Service Requests and Incidents; DSS03 Manage Problems; DSS04 Manage Continuity; DSS05 Manage Security Services; DSS06 Manage Business Process Controls. Monitor, Evaluate and Assess: MEA01 Monitor, Evaluate and Assess Performance and Conformance; MEA02 Monitor, Evaluate and Assess the System of Internal Control; MEA03 Monitor, Evaluate and Assess Compliance With External Requirements.
This figure highlights the key supporting COBIT 5 processes (shown in dark pink), as well as the other supporting processes (shown in light pink). The core risk processes are shown in light blue.
COBIT 5 Enterprise Enablers (Source: COBIT 5, figure 12)
1. Principles, Policies and Frameworks; 2. Processes; 3. Organisational Structures; 4. Culture, Ethics and Behaviour; 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies. Enablers 5, 6 and 7 are also Resources.

COBIT 5 Enablers: Generic (Source: COBIT 5, figure 13)
Enabler dimensions: Stakeholders (Internal Stakeholders; External Stakeholders); Goals (Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security); Life Cycle (Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose); Good Practices (Practices; Work Products (Inputs/Outputs)). Enabler Performance Management: Are Stakeholder Needs Addressed? Are Enabler Goals Achieved? These use Metrics for Achievement of Goals (Lag Indicators). Is Life Cycle Managed? Are Good Practices Applied? These use Metrics for Application of Practice (Lead Indicators).
The Seven Phases of the Implementation Life Cycle (Source: COBIT 5, figure 17 and COBIT 5 Implementation, figure 6)
Phases: 1 What are the drivers? 2 Where are we now? 3 Where do we want to be? 4 What needs to be done? 5 How do we get there? 6 Did we get there? 7 How do we keep the momentum going?
Programme management (outer ring): Initiate programme; Define problems and opportunities; Define road map; Plan programme; Execute plan; Realise benefits; Review effectiveness.
Change enablement (middle ring): Establish desire to change; Form implementation team; Communicate outcome; Identify role players; Operate and use; Embed new approaches; Sustain.
Continual improvement life cycle (inner ring): Recognise need to act; Assess current state; Define target state; Build improvements; Implement improvements; Operate and measure; Monitor and evaluate.

Summary of the COBIT 5 Process Capability Model (Source: COBIT 5, figure 19)
Capability levels: 0 Incomplete; 1 Performed; 2 Managed; 3 Established; 4 Predictable; 5 Optimising. Generic capability attributes: Performance Attribute (PA) 1.1 Process Performance; PA 2.1 Performance Management; PA 2.2 Work Product Management; PA 3.1 Process Definition; PA 3.2 Process Deployment; PA 4.1 Process Measurement; PA 4.2 Process Control; PA 5.1 Process Innovation; PA 5.2 Process Optimisation. COBIT 5 Assessment Model performance indicators: Process Outcomes; Base Practices (Governance/Management Practices); Work Products (Inputs/Outputs). COBIT 5 Assessment Model capability indicators: Generic Practices; Generic Resources; Generic Work Products.